Check: ML09-00-002100
MarkLogic Server v9 STIG:
ML09-00-002100
(in versions v2 r2 through v1 r1)
Title
The audit information produced by MarkLogic Server must be protected from unauthorized deletion. (Cat II impact)
Discussion
If audit data becomes compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods depending on system architecture and design. Some commonly employed methods include: ensuring log files employ the proper file system permissions, utilizing file system protections, restricting access; and backing up log data to ensure log data is retained. Applications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights the user enjoys to make access decisions regarding the deletion of audit data. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. When auditing is enabled, MarkLogic Server writes audit events to the AuditLog.txt file. Each host in a cluster maintains its own audit log files. Some actions might trigger multiple audit events, and those events might be logged over multiple hosts, as events are audited on the host in which the event occurs. For more information about the audit events, see Auditable Events. Note the following about the audit event log files: - Writes messages to AuditLog.txt file for various events. - Each event has a timestamp, event type, user, role, and other information relevant to the event (for example, document URI for document-read event). For an example of log entries, see Sample Audit Logs. - How often to rotate the audit files (similar to the log files, as described in Log Files) can be configured. - The Audit log files are stored in the same directory as the Access log files (port_AccessLog.txt) and the Error log files (ErrorLog.txt), which is in the <marklogic-data-dir>/Logs directory. These files are private to the host in which the audit event occurred. - View the current or any archived file log at any time using standard text file viewing tools. Additionally, the log files can be accessed from the Log tab on the main page of the Admin Interface. Deletion of database audit data could mask the theft of, or the unauthorized modification of, sensitive data stored in the database.
Check Content
Review controls and permissions are sufficient to protect audit log files from unauthorized access at the operating-system level. Verify User ownership, Group ownership, and permissions on the "audit" file: > ls -al /var/opt/MarkLogic/Logs/AuditLog.txt If the User owner is not "daemon", this is a finding If the Group owner is not "daemon", this is a finding. If the directory is more permissive than 700, this is a finding.
Fix Text
Apply controls and modify permissions to protect audit log files from unauthorized access at the operating-system level. Change owner and group of /var/opt/MarkLogic/Logs to user daemon from the command line with a privileged user: > chown daemon.daemon /var/opt/MarkLogic/Logs Change permissions of /var/opt/MarkLogic/Logs to 700 (rwx by owner only) from the command line > chmod 700 /var/opt/MarkLogic/Logs
Additional Identifiers
Rule ID: SV-220351r879578_rule
Vulnerability ID: V-220351
Group Title: SRG-APP-000120-DB-000061
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000164 |
The information system protects audit information from unauthorized deletion. |
Controls
Number | Title |
---|---|
AU-9 |
Protection Of Audit Information |